(54) System and method for disaster recovery in an open metering system

(57) System and method for securely backing up and reliably retrieving vault data in a metering system that includes a host processor operatively coupled to a vault. Whenever a transaction is completed by the vault, the vault cryptographically signs the vault data, including ascending register, descending register and piece count, and sends the cryptographically signed vault data to the host processor where it is stored in a data file assigned to the vault. Each storage of the cryptographically signed vault data is indexed to create a historical log of vault transactions. If the vault is lost or damaged so that vault data cannot be retrieved from the vault, the cryptographically signed vault data is retrieved from the host processor data file and verified.
Description

The present invention relates to advanced postage payment systems and, more particularly, to advanced postage payment systems having pre-computed postage payment information.

The present application is related to the following U.S. Patent Applications Serial Nos. [Attorney Dockets E-415, E-416, E-417, E-418, E-419, E-421, E-444, E-452, E-463 and E-466], each filed concurrently herewith, and assigned to the assignee of the present invention.

Postage metering systems are being developed which employ digital printers to print encrypted information on a mailpiece. Such metering systems are presently categorized by the United States Postal Service as either closed systems or open systems. In a closed system, the system functionality is solely dedicated to metering activity. A closed system metering device includes a dedicated printer securely coupled to a metering or accounting function. In a closed system, since the printer is securely coupled and dedicated to the meter, printing cannot take place without accounting. In an open metering system, the system functionality is not dedicated solely to metering activity. An open system metering device includes a printer that is not dedicated to the metering activity, thus freeing system functionality for multiple and diverse uses in addition to the metering activity. An open system metering device is a postage evidencing device (PED) with a non-dedicated printer that is not securely coupled to a secure accounting module.

Typically, the postage value for a mailpiece is encrypted together with other data to generate a digital token which is then used to generate a postage indicia that is printed on the mailpiece. A digital token is encrypted information that authenticates the information imprinted on a mailpiece including postal value. Examples of systems for generating and using digital tokens are described in U.S. Patent Nos. 4,757,537, 4,831,555, 4,775,246, 4,873,645 and 4,725,718, the entire disclosures of which are hereby incorporated by reference. These systems employ an encryption algorithm to encrypt selected information to generate at least one digital token for each mailpiece. The encryption of the information provides security to prevent altering of the printed information in a manner such that any misuse of the tokens is detectable by appropriate verification procedures.

Typical information which may be encrypted as part of a digital token includes origination postal code, vendor identification, data identifying the PED, piece count, postage amount, date, and, for an open system, destination postal code. These items of information, collectively referred to as Postal Data, when encrypted with a secret key and printed on a mail piece provide a very high level of security which enables the detection of any attempted modification of a postal revenue block or a destination postal code. A postal revenue block is an image printed on a mail piece that includes the digital token used to provide evidence of postage payment. The Postal Data may be printed both in encrypted and unencrypted form in the postal revenue block. Postal Data serves as an input to a Digital Token Transformation which is a cryptographic transformation computation that utilizes a secret key to produce digital tokens. Results of the Digital Token Transformation, i.e., digital tokens, are available only after completion of the Accounting Process.

Transaction data stored in a metering system typically include, for example, ascending register, descending register, piece count, and any other necessary information that must be maintained with high integrity for each transaction of the meter. Such data may be needed to provide a user with a refund in the case of meter failure or meter loss.

Heretofore, the integrity of data in a meter is maintained using redundant non-volatile memory. If the meter is damaged, this data must be recovered and verified. Recovery often involves opening the meter and directly reading the data in memory by attaching a clip to the memory chip.

For open metering systems, the metering unit may be a portable device such as a smart card or a PCMCIA card. Portable metering units may also be used with closed metering systems. Such portable cards present a problem with regard to retrieving transaction data when the portable card is lost or damaged beyond accessibility of such transaction records.

The present invention provides a system and method for disaster recovery for an open metering system. The vault of the open metering system must be a secure device because it contains the accounting information of the amount of postage remaining in the vault and the postage printed. However, the very nature of the security makes it hard to recover postal funds in the event a malfunction occurs and the vault cannot be accessed by normal operation. The present invention enhances the reliability of a PC meter system by using the hard disk of the user PC to backup the accounting information of the vault. This provides a benefit that certain functions, such as account reconciliation, can be performed even when the vault malfunctions or is lost. Such backup is unavailable in conventional postage meters.

For further security, the backup transaction data can be cryptographically signed by the vault before being stored on the hard drive to prevent tampering. The number of transactions that are maintained on the hard drive is limited only by the available storage space on the hard drive. Preferably at least all transactions since the last refill would be maintained as backup.

The above and other objects and advantages of the present invention will be apparent upon consideration of the following detailed description, taken in conjunction with accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

Fig. 1 is a block diagram of a PC-based metering system in which the present invention operates;
Fig. 2 is a schematic block diagram of the PC-based metering system of Fig. 1 including a removable vault card and a DLL in the PC;
Fig. 3 is a schematic block diagram of the DLL in the PC-based metering system of Fig. 1 including interaction with the vault to issue and store digital tokens;
Fig. 4 is a flow chart of the vault process for signing and storing transaction records;
Fig. 5 is a flow chart of the Transaction Capture sub-module in the PC-based metering system of Fig. 1; and
Fig. 6 is a flow chart of the recovery process when a vault card is damaged or lost.

In describing the present invention, reference is made to the drawings, wherein there is seen in Figs. 1 and 2 an open system PC-based postage meter, also referred to herein as a PC meter system, generally referred to as 10, comprising a conventional personal computer configured to operate as a host to a removable metering device or electronic vault, generally referred to as 20, in which postage funds are stored. As used herein, the term personal computer is used generically and refers to present and future microprocessing systems with at least one processor operatively coupled to user interface means, such as a display and keyboard, and storage media. The personal computer may be a workstation that is accessible by more than one user.

PC meter system 10 uses the personal computer and its printer to print postage on envelopes at the same time it prints a recipient's address or to print labels for pre-addressed return envelopes or large mailpieces. It will be understood that although the preferred embodiment of the present invention is described with regard to a postage metering system, the present invention is applicable to any value metering system that includes transaction evidencing.

The PC-based postage meter 10 includes a personal computer (PC) 12, a display 14, a keyboard 16, and an unsecured digital printer 18, preferably a laser or ink-jet printer. PC 12 includes a conventional processor 22, such as the 80486 and Pentium processors manufactured by Intel, and conventional hard drive 24, floppy drive(s) 26, and memory 28. Electronic vault 20, which is housed in a removable card, such as PCMCIA card 30, is a secure encryption device for postage funds management, digital token generation and traditional accounting functions. PC meter system 10 may also include an optional modem 29 which is located preferably in PC 12. Modem 29 may be used for communicating with a Postal Service or a postal authenticating vendor for recharging funds (debit or credit). A description of such communication by modem is described in U.S. Patent No. 4,831,555, incorporated herein by reference. In an alternate embodiment the modem may be located in PCMCIA card 30.



PC meter system 10 further includes a Windows-based PC software module 34 (Figs. 3 and 4) that is accessible from conventional Windows-based word processing, database and spreadsheet application programs 36. PC software module 34 includes a vault dynamic link library (DLL) 40, a user interface module 42, and a plurality of sub-modules that control the metering functions. The DLL is an application programming interface (API) that is used by Windows-based programs. It will be understood that the present invention is suitable for use with an API corresponding to other than Windows-based programs.

DLL module 40 securely communicates with vault 20 and provides an open interface to Microsoft Windows-based application programs 36 through user interface module 42. DLL module 40 also securely stores an indicia image and a copy of the usage of postal funds of the vault. User interface module 42 provides application programs 36 access to an electronic indicia image from DLL module 40 for printing the postal revenue block on a document, such as an envelope or label. User interface module 42 also provides application programs the capability to initiate remote refills and to perform administrative functions.

Thus, PC-based meter system 10 operates as a conventional personal computer with attached printer that becomes a postage meter upon user request. Printer 18 prints all documents normally printed by a personal computer, including printing letters and addressing envelopes, and prints postage indicia.

A description of the key components of PC-based meter system 10 is given below, followed by a description of the preferred operation of PC-based meter system 10. A description of the digital token generation process is disclosed in co-pending U.S. Patent Applications Serial Nos. [Attorney Dockets E-416, E-415 and E-419], which are incorporated herein in their entirety by reference.

The vault is housed in a PCMCIA I/O device, or card, 30 which is accessed through a PCMCIA controller 32 in PC 12. A PCMCIA card is a credit card size peripheral or adapter that conforms to the standard specification of the Personal Computer Memory Card International Association.

Referring now to Figs. 2 and 3, the PCMCIA card 30 includes a microprocessor 44, non-volatile memory (NVM) 46, clock 48, an encryption module 50 and an accounting module 52. The encryption module 50 may implement the NBS Data Encryption Standard (DES) or another suitable encryption scheme. In the preferred embodiment, encryption module 50 is a software module. It will be understood that encryption module 50 could also be a separate device, such as a separate chip connected to microprocessor 44. Accounting module 52 may be EEPROM that incorporates ascending and descending registers as well as postal data, such as origination ZIP Code, vendor identification, data identifying the PC-based postage meter 10, sequential piece count of the postal revenue block generated by the PC-based postage meter 10, postage amount and the date of submission to the Postal Service. As is known, an ascending register in a metering unit records the amount of postage that has been dispensed, i.e., issued by the vault, in all transactions and the descending register records the value, i.e., amount of postage, remaining in the metering unit, which value decreases as postage is issued.

The hardware design of the vault includes an interface 56 that communicates with the host processor 22 through PCMCIA controller 32. Preferably, for added physical security, the components of vault 20 that perform the encryption and store the encryption keys (microprocessor 44, ROM 47 and NVM 46) are packaged in the same integrated circuit device/chip that is manufactured to be tamper proof. Such packaging ensures that the contents of NVM 46 may be read only by the encryption processor and are not accessible outside of the integrated circuit device. Alternatively, the entire card 30 could be manufactured to be tamper proof.

The functionality of DLL 40 is a key component of PC-based meter 10. DLL 40 includes both executable code and data storage area 41 that is resident in hard drive 24 of PC 12. In a Windows environment, a vast majority of applications programs 36, such as word processing and spreadsheet programs, communicate with one another using one or more dynamic link libraries. PC-based meter 10 encapsulates all the processes involved in metering, and provides an open interface to vault 20 from all Windows-based applications capable of using a dynamic link library. Any application program 36 can communicate with vault microprocessor 44 in PCMCIA card 30 through DLL 40.

DLL 40 includes the following software sub-modules: secure communications 80, transaction captures 82, secure indicia image creation and storage 84, and application interface module 86. The present invention relates to the transaction captures sub-module which is described below. A more detailed description of PC meter system 10 is provided in related U.S. Patent Application Serial No. [Attorney Docket E-421] filed concurrently herewith and incorporated herein in its entirety by reference.

Backup On Hard Drive 

Vault 20 must be a secure device because it contains the accounting information of the amount of postage remaining in the vault and the postage printed. However, the very nature of the security makes it hard to recover postal funds in the event a malfunction occurs and the vault cannot be accessed by normal operation. The present invention enhances the reliability of a PC meter system by using the hard disk of the user PC to backup the accounting information of the vault. As previously described, the transaction capture sub-module 82 stores transaction files as backup files on hard drive 24. This provides a benefit that certain functions, such as account reconciliation, can be performed even when vault 20 malfunctions. Such backup is unavailable in conventional postage meters.

For further security, the backup transaction data can be encrypted before being stored on hard drive 24 to prevent tampering. The number of transactions that are maintained on hard drive 24 is limited only by the available storage space on hard drive 24. Preferably, at least all transactions since the last refill would be maintained as backup.

In the preferred embodiment of the present invention, the transaction record is cryptographically signed by the meter and stored on hard drive 24 in the transaction record file associated with the meter. By signing the transaction records in this manner, a user then cannot modify the data without detection. If the user tries to replay an old value of the data, it will not match any data remaining in the meter, and it will not match the piece counts of the latest mail pieces paid with the meter. The signed data can be stored in the meter base. Thus, the present invention provides a system and method for reliably recovering funds for lost, stolen or damaged meters based on the signed data stored on the hard drive. A similar function can be provided for closed system meters with a removable vault.

The meter transaction record data is signed cryptographically, for example with a message authentication code (MAC). The signed data is stored in a hidden file in hard drive 24. (For closed metering systems with a removable vault the signed data would be stored in the meter base.) The data stored on hard drive 24 of PC 12 can be recovered and authenticated against the most recent records of the data center and against any recent mailpiece piece counts recorded. The user cannot modify the data on hard drive 24 without detection. If the user deletes the data, then the funds may be unrecoverable.

If vault 20 is reported lost or stolen, the funds lost can be identified using the signed data on hard drive 24. The authenticity of the data can be checked by verifying the signature by vault 20. The freshness of the data can be checked by comparing the piece count in the signed data with the piece count on one of the most recent mailpieces mailed. For example, if the postal service frequently checks indicia and records the most recent piece count for each meter, then the postal service records can be used to authenticate the freshness of the data. If the data center records the value of the piece count at the most recent refill of vault 24, then such data can also provide evidence for the freshness of the backup data stored on hard drive 24.

The signed data in the hidden file can be updated each time an indicia is processed or can be accumulated in an historical transaction record file.

Referring now to Fig. 4, the process of cryptographically signing a transaction record is shown. At step 200, a transaction record is created, for example, when vault 20 issues a digital token or when vault 20 is refilled. At step 202, a transaction encryption key, stored in vault 20, for example, at manufacture, is obtained for digitally signing the transaction record at step 204. The signed transaction record is stored in vault 20 and sent to DLL 40 in PC 12 at 206. The signed transaction record is stored in an invisible DLL storage file 41 on hard drive 24 at step 208. Step 208 is described in more detail in the following paragraph.

In accordance with the present invention, Transaction Capture sub-module 82 captures each transaction record received from vault 20 and records the transaction record in DLL 40 and in DLL storage area 41 on hard drive 24. If there is ample room on hard drive 24, such transaction captures can be stored for a plurality of different vaults. Referring now to Fig. 5, from the moment that a communication session is established, Transaction Capture sub-module 82 monitors message traffic at step 120, selectively captures each transaction record for token generations and refills, and stores such transaction records in DLL 40 at step 124 and in an invisible and write-protected file 83 in DLL storage area 41 at step 126. The information stored for each transaction record includes, for example, vault serial number, date, piece count, postage, postal funds available (descending register), tokens, destination postal code and the block check character. A predetermined number of the most recent records initiated by PC 12 are stored in file 83 which is an indexed historical file. In the preferred embodiment file 83 is indexed according to piece count but may be searched according to addressee information. File 83 represents the mirror image of vault 20 at the time of the transaction except for the encryption keys and configuration parameters. Storing transaction records on hard drive 24 provides backup capability which is described below.

Referring now to Fig. 6, the process for recovering vault information when vault 20 is not available for information retrieval is shown. At step 220, the invisible transaction record file is read from DLL file 41 on hard drive 24. The encryption key used in signing the transaction record in vault 20 when the token was issued is retrieved, at step 222, from an escrowed holding, for example, from the manufacturer or the Data Center. At step 224, the signature of preferably each transaction record is verified, although verifying less than all the transaction records may be deemed adequate. At 226, it is determined whether all the verified signatures are correct. If not correct, then this indicates at 228 that the DLL storage file 41 has been modified. If correct, then the last recorded ascending register, descending register and piece count are determined at step 230. A comparison is made of the ascending register read from DLL storage file 41 with the ascending register in the refill Data Center databases at step 232. If not the same, then, at step 234, the file is considered out of date which indicates tampering. If the same, then, at step 236, the piece count read from DLL storage file 41 is compared with the highest piece count verified on a mailpiece. If the retrieved piece count is less than the verified piece count then, at step 234, the file is considered out of date. If not less than, then the file is considered reliable at step 238 and the retrieved information is used in place of vault 20.
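The following is an added example, not code from the patent or its assignee, that models the signing and capture of Figs. 4 and 5 together with the Fig. 6 recovery checks (signature verification, ascending register against the Data Center, piece count against the highest verified mailpiece). HMAC-SHA256 stands in for the unspecified MAC, the escrowed key and all record values are constructed, and the Data Center's ascending register is passed in as an assumed input.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the transaction key stored in the vault at manufacture
# and escrowed with the manufacturer or Data Center (hypothetical value).
ESCROWED_TRANSACTION_KEY = b"constructed-escrowed-vault-key"

# Record fields the vault covers with its MAC (the contents the patent lists for
# file 83; the block check character is omitted here).
FIELDS = ("vault_serial", "date", "piece_count", "postage", "ascending_register",
          "descending_register", "token", "dest_postal_code")


def canonical(record):
    """Deterministic byte encoding so vault and verifier MAC identical bytes."""
    return json.dumps({f: record[f] for f in FIELDS}, sort_keys=True).encode()


def vault_sign(record, key):
    """Fig. 4, steps 202-204: the vault MACs the record with its transaction key.
    HMAC-SHA256 stands in for the MAC the patent leaves unspecified."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class TransactionCaptureFile:
    """Model of file 83: a historical log of signed records indexed by piece count."""

    def __init__(self):
        self.records = {}  # piece_count -> (record, mac)

    def capture(self, record, mac):
        """Fig. 5, step 126: store the record exactly as received from the vault."""
        self.records[record["piece_count"]] = (dict(record), mac)

    def latest(self):
        """Step 230: the last recorded registers and piece count."""
        return self.records[max(self.records)]


def recover(backup, key, data_center_ascending, highest_verified_piece_count):
    """Fig. 6 recovery checks. Returns (status, record): status is 'modified',
    'out_of_date' or 'reliable', and record is None unless the file is reliable."""
    # Steps 224-228: every stored MAC must verify under the escrowed key; a single
    # failure means DLL storage file 41 was modified.
    for record, mac in backup.records.values():
        if not hmac.compare_digest(vault_sign(record, key), mac):
            return "modified", None
    record, _ = backup.latest()
    # Steps 232-234: the last ascending register must equal the value held in the
    # Data Center refill database (how that value is kept current is assumed).
    if record["ascending_register"] != data_center_ascending:
        return "out_of_date", None
    # Steps 236-234: a piece count behind the highest count verified on a mailed
    # piece means an old copy of the file was replayed over the current one.
    if record["piece_count"] < highest_verified_piece_count:
        return "out_of_date", None
    return "reliable", record  # step 238: use the file in place of the vault


def build_sample_backup(key):
    """Constructed history: one refill followed by three token issues."""
    backup = TransactionCaptureFile()
    ascending, descending, piece_count = 1000, 0, 100
    for kind, amount in (("refill", 5000), ("token", 32), ("token", 55), ("token", 32)):
        if kind == "refill":
            descending += amount
        else:  # issuing a token accounts the postage before the indicia is printed
            piece_count += 1
            ascending += amount
            descending -= amount
        record = {"vault_serial": "VAULT-0001", "date": "1995-12-20",
                  "piece_count": piece_count, "postage": amount if kind == "token" else 0,
                  "ascending_register": ascending, "descending_register": descending,
                  "token": f"token-{piece_count}", "dest_postal_code": "06926"}
        backup.capture(record, vault_sign(record, key))
    return backup


if __name__ == "__main__":
    backup = build_sample_backup(ESCROWED_TRANSACTION_KEY)
    print(recover(backup, ESCROWED_TRANSACTION_KEY, 1119, 103))
```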

Thus in addition to storing meter transactions in the meter like conventional postage meters, the present invention also stores transaction records on the PC hard drive in a secure manner. In this manner the present invention provides a means for disaster recovery when a vault card is lost, stolen or damaged beyond information retrieval.

While the present invention has been disclosed and described with reference to a single embodiment thereof, it will be apparent, as noted above, that variations and modifications may be made therein. It is, thus, intended in the following claims to cover each variation and modification that falls within the true spirit and scope of the present invention.

In the foregoing, the following attorney docket references indicate the US applications shown in the following table. All these applications have corresponding European Applications and are hereby incorporated herein by reference:

E-415 Serial No. 08/575,106
E-416 Serial No. 08/575,107
E-417 Serial No. 08/574,746
E-418 Serial No. 08/574,745
E-419 Serial No. 08/575,110
E-420 Serial No. 08/574,743
E-421 Serial No. 08/575,112
E-444 Serial No. 08/575,109
E-452 Serial No. 08/575,104
E-463 Serial No. 08/574,749
E-466 Serial No. 08/575,111
E-462 Serial No. 08/588,499

Claims 

1. A method of securely backing up vault data in a metering system that includes a host processor operatively coupled to a vault, comprising the steps of:

storing a predetermined set of vault data in the vault;

cryptographically signing in the vault the predetermined set of vault data, including ascending register, descending register and piece count;

sending the cryptographically signed vault data to the host processor;

storing the cryptographically signed vault data in a data file of the host processor.

2. The method of claim 1 wherein the steps in claim 1 
are performed whenever a transaction is completed 
by the vault. 

3. The method of claim 2 comprising the further step of:

indexing in the data file each storage of the cryptographically signed vault data to create a historical log of vault transactions.

4. A transaction evidencing system, comprising

a host processor including storage means;

vault means operatively coupled to said host processor, said vault means including digital token generation means and transaction accounting means;

a printer operatively coupled to said host processor;

means in said host processor for issuing a request for at least one digital token, said request for digital token including predetermined information required by said token generation means;

means in said host processor for securely communicating with said vault means, said communicating means sending said request for digital token to said vault means and receiving from said vault means a digital token generated by said token generation means;

means in said host processor for capturing in said storage means a transaction record corresponding to said digital token, said transaction record including said digital token and said predetermined information; and

means operatively coupled to said host processor for generating an indicia bitmap from said digital token.

5. The transaction evidencing system of claim 4, wherein said transaction record is encrypted before being captured in said storage means.

6. The transaction evidencing system of claim 4, wherein a plurality of consecutive ones of said transaction records are stored in said storage means as backup to information stored in said vault means.

7. The transaction evidencing system of claim 4 wherein said host processor is a personal computer (PC) including conventional processor, memory and storage means and said printer is an unsecured, non-dedicated printer operatively coupled to said PC.

8. The transaction evidencing system of claim 5 wherein said vault means comprises a portable vault card that is removably coupled to said PC, said PC including means for removably coupling said vault card to said PC.

9. The transaction evidencing system of claim 8, 
wherein said storage means is a hard drive of said 
PC. 
10. A method for recovering vault data, the method comprising the steps of:

retrieving cryptographically signed vault data from a data file in the host processor;

verifying the signature of the cryptographically signed vault data; and

recovering the vault data from the cryptographically signed vault data when the signature is verified.